File name: uTorrent.exe
Full analysis: https://app.any.run/tasks/1b671628-c753-492e-a684-85b23097aa07
Verdict: Malicious activity
Analysis date: October 14, 2019, 04:10:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer, adware, pua, lavasoft
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C182559F4C69A19FDF515DB174A9A85D
SHA1: FF190CA4F7E75AABF80D58D5B785BFB107313E34
SHA256: 080AE270B766017B3080126F4116E4C615697B9728AF8372051CDE32CCAEB06C
SSDEEP: 98304:cG5QgkB5McIpyqjH+JUkw72wanLsNz1c7G:cG5q6cCPjHsUV72wBJWG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • GenericSetup.exe (PID: 3148)
      • installer.exe (PID: 3808)
    • Loads dropped or rewritten executable
      • GenericSetup.exe (PID: 3148)
    • LAVASOFT was detected
      • installer.exe (PID: 3808)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • uTorrent.exe (PID: 388)
    • Reads Environment values
      • GenericSetup.exe (PID: 3148)
    • Reads the Windows organization settings
      • GenericSetup.exe (PID: 3148)
    • Reads Windows owner or organization settings
      • GenericSetup.exe (PID: 3148)
    • Searches for installed software
      • GenericSetup.exe (PID: 3148)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

ProductVersion: 3.5.5.45311
ProductName: µTorrent
OriginalFileName: uTorrent.exe
LegalCopyright: ©2019 BitTorrent, Inc. All Rights Reserved.
InternalName: uTorrent.exe
FileVersion: 3.5.5.45311
FileDescription: µTorrent
CompanyName: BitTorrent Inc.
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 3.5.5.45311
FileVersionNumber: 3.5.5.45311
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x148d4
UninitializedDataSize: -
InitializedDataSize: 83968
CodeSize: 104448
LinkerVersion: 6
PEType: PE32
TimeStamp: 2011:04:18 20:54:06+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Apr-2011 18:54:06
Detected languages:
  • English - United States
CompanyName: BitTorrent Inc.
FileDescription: µTorrent
FileVersion: 3.5.5.45311
InternalName: uTorrent.exe
LegalCopyright: ©2019 BitTorrent, Inc. All Rights Reserved.
OriginalFilename: uTorrent.exe
ProductName: µTorrent
ProductVersion: 3.5.5.45311

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 18-Apr-2011 18:54:06
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000197C0 | 0x00019800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60823
.rdata | 0x0001B000 | 0x00004490 | 0x00004600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.38378
.data | 0x00020000 | 0x00005A68 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.37934
.sxdata | 0x00026000 | 0x00000004 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931
.rsrc | 0x00027000 | 0x0000CC68 | 0x0000CE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.33998

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.01523 | 1663 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 3.18403 | 296 | Latin 1 / Western European | UNKNOWN | RT_ICON
3 | 5.54032 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON
4 | 5.09168 | 38056 | Latin 1 / Western European | UNKNOWN | RT_ICON
5 | 1.43775 | 52 | Latin 1 / Western European | English - United States | RT_STRING
500 | 3.09294 | 184 | Latin 1 / Western European | English - United States | RT_DIALOG
MAINICON | 2.50471 | 34 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON

Imports

KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
No data.
Total processes: 40
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

uTorrent.exe --(drop and start)--> installer.exe (#LAVASOFT) --(start)--> GenericSetup.exe

Process information

PID: 388
CMD: "C:\Users\admin\AppData\Local\Temp\uTorrent.exe"
Path: C:\Users\admin\AppData\Local\Temp\uTorrent.exe
Parent process: explorer.exe
User: admin
Company: BitTorrent Inc.
Integrity Level: MEDIUM
Description: µTorrent
Version: 3.5.5.45311

PID: 3808
CMD: .\installer.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\installer.exe
Parent process: uTorrent.exe
User: admin
Company: adaware
Integrity Level: MEDIUM
Description: µTorrent
Version: 2.8.3.1680

PID: 3148
CMD: "C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\GenericSetup.exe" C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\GenericSetup.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\GenericSetup.exe
Parent process: installer.exe
User: admin
Company: adaware
Integrity Level: HIGH
Description: µTorrent
Version: 2.8.3.1680
Total events: 10 007
Read events: 9 989
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 14
Suspicious files: 9
Text files: 92
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
388 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\.git\objects\00\111142ca6f04cef5a96c4632406483ce149617 | binary | 9AD46E91924B438619294E92E7D9B6DF | 4A83E404E909E4DB9419BE46F8609373C60EE038A5EEF513E0D4E95CA8493A14
388 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\.git\objects\0b\a0ab35d7324c8a2af63693aa9d22e5165d459f | binary | 4060FE829929228BEA921DB12921CDC8 | F94A5809948F83F5B4DB5209BCFB7EFAAA4686B825A7C6D171782375A1D1A090
388 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\.git\objects\09\5a057d4a651ec412d06b59e32e9b02871592d5 | binary | FDCB87E6ADA8B01F1919E9AB3CD5A5FE | 956B92A325A5CA0CDC056C5D7A592E0F1D1BFA26C4EF7BFC3A90621D56A9996C
388 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\.git\objects\b4\1e4307dd14a38322b6ace5a52df48ab16a428a | binary | 6EABBF8DE4D7C0F52437F9A72C394CDF | E56B19DB290AB50A38A9EEF74D64809770BF72001B8A62E22AB30E9D9349A266
388 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\.git\objects\47\699e904c1e5076895823b80ff38d0a2e0092b0 | binary | E0E3B909B50D5DF4F35A69DD758D318E | 60FBF0C8573C45429459DD4F98ACB56DD969E48E917F0AE814F093D6D231392A
388 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\.git\objects\bc\daa390fe7a669370c8b86458415976dc156bb3 | binary | 5BA2CA8532FBE7392E1FB865C8695B18 | 65BC44BFB317D02DFB905D649ABA737099979D10410E3C7EBF8CF03B6B187DC2
388 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\.git\objects\d1\3aa9fc82cf856082eff7c72b05badbebdd97b8 | binary | 958B5BC337CC06D7159D5C9ED8AA0514 | AF600AD11468E82DBF83A77119C7B01D6A9739AFAF1EF7398A37E93F692FAF9C
388 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\.git\objects\a4\ad5c82f11b179ad7a97182a5aba671b30ef375 | binary | 15F46C6D0CB1F14BE3178A4590D14435 | 2F20D35D71AC03F1FE94FDDCAC77CD0C7783D8E12EBC00A1BDBF8D36A9CE4F39
388 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\Carrier.exe | executable | 0A73AFD555D76DAF5BA20418186A1176 | D480AC47F7DCF80DA141520284CF4C0E3F1421755CED37B699BDCC8E5809EAE3
388 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\7zS4812B7A9\.git\objects\30\d74d258442c7c65512eafab474568dd706c430 | binary | 9E20566B6F925DE91B2EC32A69EE002C | 4CD5A85445E1939A13A0BC9304CBD191970AFEA2C37AD14ED0769892AD16D50D
HTTP(S) requests: 2
TCP/UDP connections: 5
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3808 | installer.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart | US | text | 29 b | whitelisted
3808 | installer.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart | US | text | 29 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3148 | GenericSetup.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared
3808 | installer.exe | 104.18.88.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared
3148 | GenericSetup.exe | 104.18.87.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
www.google.com | 216.58.207.68 | whitelisted
sos.adaware.com | 104.16.235.79, 104.16.236.79 | whitelisted
flow.lavasoft.com | 104.18.88.101, 104.18.87.101 | whitelisted

Threats

PID | Process | Class | Message
3808 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install
No debug info